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1 DETAILED ACTION 

2 

3 Claims 1 - 25 are pending. 

4 This action is in response to the communication filed on 4/25/2006. 

5 All objections and rejections not set forth below have been withdrawn. 
6 

7 Drawings 

8 

9 Figures 1 should be designated by a legend such as -Prior Art- because only 

10 that which is old is illustrated. See MPEP § 608.02(g). Corrected drawings in 

1 1 compliance with 37 CFR 1.121 (d) are required in reply to the Office action to avoid 

12 abandonment of the application. The replacement sheet(s) should be labeled 

1 3 "Replacement Sheet" in the page header (as per 37 CFR 1 .84(c)) so as not to obstruct 

14 any portion of the drawing figures. If the changes are not accepted by the examiner, the 

1 5 applicant will be notified and informed of any required corrective action in the next Office 

16 action. The objection to the drawings will not be held in abeyance. 
17 

18 
19 
20 
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1 Specification 

2 

3 The specification is objected to as failing to provide proper antecedent basis for 

4 the claimed subject matter. See 37 CFR 1 .75(d)(1 ) and MPEP § 608.01 (o). Correction 

5 of the following is required: 

6 The specification does not provide antecedent basis for the added limitations of 



7 claims 1 - 25 for "requesting that the user computer resubmit the request and 

8 subsequently executing the resubmitted request only upon determining that it does not 

9 contain the marker of active content". 
10 

11 



1 2 Claim Rejections - 35 USC §112 

13 

14 The following is a quotation of the first paragraph of 35 U.S.C. 112: 

1 5 The specification shall contain a written description of the invention, and of the manner and process of 

1 6 making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the 

17 art to which it pertains, or with which it is most nearly connected, to make and use the same and shall 

1 8 set forth the best mode contemplated by the inventor of carrying out his invention. 
19 

20 

21 Claims 1-25 are rejected under 35 U.S.C. 112, first paragraph, as failing to 



22 comply with the written description requirement. The claim(s) contains subject 

23 matter which was not described in the specification in such a way as to 

24 reasonably convey to one skilled in the relevant art that the inventor(s), at the 
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1 time the application was filed, had possession of the claimed invention. See 

2 above objection to the specification. 
3 

4 The following is a quotation of the second paragraph of 35 U.S.C. 112: 

5 The specification shall conclude with one or more claims particularly pointing out and distinctly 

6 claiming the subject matter which the applicant regards as his invention. 
7 

8 Claims 1-25 are rejected under 35 U.S.C. 112, second paragraph, as being 

9 indefinite for failing to particularly point out and distinctly claim the subject 

1 0 matter which applicant regards as the invention. 

1 1 Claims 1 , 8, and 1 8 each recite the limitation "the resubmitted request" (i.e. claim 



12 1, line 13). There is insufficient antecedent basis for this limitation in the claims, as the 

1 3 claims do not provide the limitation that a request has been resubmitted. For the 

14 purposes of examination, the examiner will presume the applicant to refer to "a 

15 resubmitted request". 
16 



1 7 All other claims are rejected by virtue of dependency. 

18 

19 

20 Claim Rejections - 35 USC § 103 

21 

22 The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 

23 obviousness rejections set forth in this Office action: 

24 (a) A patent may not be obtained though the invention is not identically disclosed or described as set 

25 forth in section 1 02 of this title, if the differences between the subject matter sought to be patented and 
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1 the prior art are such that the subject matter as a whole would have been obvious at the time the 

2 invention was made to a person having ordinary skill in the art to which said subject matter pertains. 

3 Patentability shall not be negatived by the manner in which the invention was made. 

4 

5 Claims 1 - 6, 8 - 13, 15 - 23, and 25 are rejected under 35 U.S.C. 103(a) as 



6 being unpatentable over CERT CC, "CERT Advisory CA-2000-02 Malicious HTML 

7 Tags Embedded in Client Web Requests" (CERT-Advisory) in view of CERT CC, 

8 "Understanding Malicious Content Mitigation for Web Developers" (CERT) in view 

9 of Hidalgo et al. (Hidalgo), "Firewalls for Providing Security in Http Networks and 

1 0 Applications", U.S. Patent 2002/0051 142 in view of Fielding et al. (Fielding), 

1 1 "Hyptertext Transfer Protocol - HTTP/1 .1 ", RFC 261 6. 
12 



13 Regarding claim 8, CERT-Advisory discloses: 

1 4 receiving an HTTP request at a server computer, wherein the H TTP request 

1 5 includes input data that was not generated by the server computer (CERT-Advisory, 

16 page 1, Systems Affected, Overview; page 2, pars. 2-4). 

1 7 CERT-Advisory discloses, in general, that the Server site attempts to filter the 



1 8 incoming HTTP request according to the criteria of removing dangerous meta- 

19 characters, so as to prevent their sites from being attacked, "abused", by malicious data 

20 or a cross-site scripting attack (CERT-Advisory, page 5, Solutions for Web Page 

21 Developers and Web Site Administrators). While one of ordinary skill in the art would 

22 rightly and easily conclude from the context of CERT-Advisory that the incoming meta- 

23 characters being filtered are being evaluated against known scripting constructs or 

24 characters, CERT-Advisory does not explicitly say the evaluation is to determine if the 

25 input data includes a script construct, wherein the script construct indicates that HTTP 
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1 request is part of a cross-site scripting attack. Instead, CERT-Advisory directs the 

2 readers' attention to the detailed solution (found in CERT) for preventing cross-site 

3 scripting attacks in response to receiving HTTP requests comprising malicious scripts. 

4 CERT discloses the specifics for mitigating cross-site scripting attacks by 

5 evaluating the incoming data requests to determine the presences of dangerous meta- 

6 characters, indicating the presence of malicious scripts (CERT, page 1 , par. 1 , Problem 

7 Summary, pars. 2-3; page 2, Mitigation Summary; page 3, Identifying the Special 

8 Characters; page 4, Filtering Dynamic Content). CERT, thus clearly demonstrates that 

9 the filtering of input data for dangerous meta-characters is an evaluation of the 

1 0 presence of malicious script constructs. 

1 1 It would have been obvious to one of ordinary skill in the art to combine the 

12 teachings of CERT, for evaluating input data for script constructs - in addition to other 

1 3 specific teachings of CERT for mitigating cross-site scripting attacks - with the system of 

14 CERT-Advisory. This would have been obvious because CERT-Advisory explicitly says 

15 to include the reference of CERT so as to successfully mitigate cross-site scripting 

16 attacks (CERT-Advisory, page 5, par. 6). 

1 7 The combination of CERT-Advisory and CERT discloses refusing to execute 

1 8 HTTP request and thereby preventing the cross-site scripting attack if the input data 

19 includes a script construct (CERT-Advisory, pg. 1 , "Overview"; pg. 2, "Malicious code 

20 sent inadvertently by a client for itself; CERT, pg. 1 , par. 1 ; pg. 2-4, "Mitigation 

21 Summary"). Herein, the combination shows that malicious HTTP requests are not 
-22 executed. Furthermore, the combination discloses filtering and encoding to remove 



Application/Control Number: 10/600,683 Page 7 

Art Unit: 2137 

1 malicious scripts and data for every HTTP request. That which is subsequently 

2 executed is not the original malicious request. Thus, the combination teaches 

3 subsequently executing the resubmitted HTTP request only upon determining that it 

4 does not contain the script construct (note that any ["resubmitted"] malicious request is 

5 not executed). 

6 The combination of CERT-Advisory and CERT discloses a system for mitigating 

7 cross-site scripting attacks by evaluating the incoming HTTP data requests to determine 

8 the presence of a malicious script. The combination does not disclose informing the 

9 user computer that a marker of active content has been discovered in the request, 

1 0 namely generating a response indicating that a script construct indicative of a cross-site 

1 1 scripting attack has been received. 

12 Hidalgo also discloses a system for mitigating cross-site scripting attacks that 

13 stem from invalid HTTP requests (Hidalgo, par. 14, 58-66). Hidalgo teaches that when 

14 invalid HTTP requests are discovered, a system can send an informative error alert to 

1 5 the user that sent the invalid request. 

16 It would have been obvious to one of ordinary skill in the art to combine the 

17 teachings of Hidalgo within the combination of CERT-Advisory and CERT. This would 

18 have been obvious because one of ordinary skill in the art would have been motivated 

19 by inform users of danger or possible malicious activity and thus create a more user- 

20 friendly and informative system. 

21 The combination of CERT-Advisory, CERT, and Hidalgo discloses the sending of 

22 an error to the user to inform the user that an invalid HTTP request has been received. 
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1 The combination also teaches that information regarding malicious content enables one 

2 to recognize attacks and take proactive measures (CERT, pg. 1, "Problem Summary", 

3 par. 1). The combination, however, does not disclose providing information that would 

4 request resubmission of the HTTP request. 

5 Fielding discloses that error messages for invalid HTTP requests indicate that an 

6 error has occurred on the user side (Fielding, pg. 65, sect. 10.4). Fielding discloses 

7 that such error messages will inform that resubmitted requests should be corrected 

8 (Fielding, pg. 65, sect. 10.4.1) or be used in situations where the user is expected to 

9 take corrective measures and resubmit the request (Fielding, pg. 67, sect. 10.4.10). 

10 It would have been obvious to one of ordinary skill in the art to incorporate the 

1 1 teachings of Fielding within the error messages of the combination of CERT-Advisory, 

12 CERT, and Hidalgo, and thus provide information to the user that a resubmitted HTTP 

13 request is desired. This would have been obvious because one of ordinary skill in the 

14 art would have been motivated to allow a user to learn and take proactive measures to 

15 ensure the safety of his/her communications. For example, a user could be informed 

16 that his HTTP request, which was submitted by clicking on a link, was invalid or 

17 malicious and would be encouraged to safely resubmit a subsequent request, such as 

18 by manually keying in the correct URL. 
19 

20 Regarding claim 9, the combination of CERT-Advisory, CERT, Hidalgo, and 

21 Fielding disclose: 
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1 at least one of: receiving a query string that includes at least one query string 

2 variable; receiving a cookie; receiving one or more headers in the HTTP request; and 

3 receiving one or more form fields (CERT-Advisory, page 2, pars. 2-5; CERT, page 2, 

4 Mitigation Summary). 
5 

6 Regarding claim 10, the combination of CERT-Advisory, CERT, Hidalgo, and 

7 Fielding disclose: 

8 at least one of: searching the HTTP request for one or more character 



9 combinations that correspond to a script construct; searching the HTTP request for an 

1 0 event that includes a script construct; searching server variables that derive input data 

1 1 from another source; and searching the HTTP request for an expression that includes a 

12 script construct (CERT, page 3, Identifying the Special Characters; page 4, Filtering 

1 3 Dynamic Content). 
14 



1 5 Regarding claim 1 1 , the combination of CERT-Advisory, CERT, Hidalgo, and 

16 Fielding disclose: 

1 7 searching the input data for a script construct (CERT, page 3, Identifying the 

18 Special Characters; page 4, Filtering Dynamic Content). 
19 

20 Regarding claim 12, the combination of CERT-Advisory, CERT, Hidalgo, and 

21 Fielding disclose: 
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searching for patterns associated with scripts (CERT, page 3, Identifying the 



2 



Special Characters; page 4, Filtering Dynamic Content). 



3 



4 



Regarding claim 13, the combination of CERT-Advisory, CERT, Hidalgo, and 



5 



Fielding disclose: 



6 



refraining from executing the HTTP request (CERT-Advisory, page 2, par. 1 ; 



7 page 5, pars. 3-6). In addition to plainly refraining from executing a compromised HTTP 

8 request, CERT-Advisory also discloses the filtering and/or recoding of a compromised 

9 request into a well-formed HTTP request, thus refraining from executing the 
10 compromised HTTP request. 

11 

12 Regarding claim 15, the combination of CERT-Advisory, CERT, Hidalgo, and 

13 Fielding disclose: 

1 4 encoding the user input including the script construct to render the script inert 

15 (CERT-Advisory, page 2, par. 1; page 5, pars. 3-6; CERT, page 3, Identifying the 

16 Special Characters; page 4, par. 2). 
17 

18 Regarding claim 16, the combination of CERT-Advisory, CERT, Hidalgo, and 

19 Fielding disclose: 

20 evaluating the HTTP request to determine in the input data includes a marker of 

21 active content (CERT, page 2, Mitigation Summary - particularly steps 2 and 4; page 3, 

22 Identifying the Special Characters). 
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1 

2 Regarding claim 17, the combination of CERT-Advisory, CERT, Hidalgo, and 

3 Fielding disclose: 

4 determining if the marker of active content is within a particular element, wherein 



5 the marker of active content is harmful only when rendered within the particular element 

6 (CERT, page 2, Mitigation Summary - particularly steps 2 and 4 (identifying special 

7 characters, filtering specific characters in dynamic elements; page 3, Identifying the 

8 Special Characters). 
9 



10 Regarding claims 1 - 3, 5, 6, 18 - 23, and 25, they are method and method 

1 1 embodied on computer readable medium claims corresponding to the system claims 1 - 

12 17, and they are rejected, at least, for the same reasons. 
13 

14 Regarding claim 4, the combination of CERT-Advisory, CERT, Hidalgo, and 



1 5 Fielding disclose: evaluating only a portion of the request that includes the data derived 

16 from an outside source (CERT, page 2, Mitigation Summary). The combination of 

17 CERT-Advisory and CERT discloses the need to evaluate data comprising untrusted 

18 input that could be transmitted in an HTTP request. 
19 

20 Claims 7, 14, and 24 are rejected under 35 U.S.C. 103(a) as being 

21 unpatentable over the combination of CERT-Advisory, CERT, Hidalgo, and 



Application/Control Number: 10/600,683 Page 12 

Art Unit: 2137 

1 Fielding in view of Fischman et al. (Fischman), U.S. Patent Publication 

2 2003/0097588. 

3 

4 Regarding claim 14, the combination of CERT-Advisory and CERT does not 

5 disclose the logging of attacks to the system. Namely, the combination of CERT- 

6 Advisory and CERT does not disclose wherein preventing the cross-site scripting attack 

7 if the input data includes a script construct further comprises logging an event at the 

8 server computer. 

9 Fischman discloses a method wherein attacks to the security of a server system 

10 are logged. This allows the operators of the system to access the log and become 

1 1 aware of problems and to make proper adjustments if necessary (Fischman, par. 45). 

12 It would be obvious to one of ordinary skill in the art to employ the method of 

13 Fischman for logging system attacks within the system of the combination of CERT- 

14 Advisory and CERT. This would have been obvious, because one of ordinary skill in 

1 5 the art would have been motivated to provide the proactive benefits of logging taught by 

16 Fischman to the operators of the attacked web server of the combination CERT- 

17 Advisory and CERT, thus enabling the server operators to access a an attack log and 

18 make system improvements. 
19 
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1 



Response to Arguments 



2 



3 



Applicant's arguments filed 4/25/06 have been fully considered but they are not 



4 persuasive. 



5 



Applicant's arguments with respect to claims 1 - 25 have been considered but are 



6 moot in view of the new ground(s) of rejection. 
7 

8 Applicant's argue primarily that: 
9 

1 0 (i). For example, Figure 1 illustrates a block diagram of a network environment in 

1 1 which an electronic message may be used in facilitating a cross-scripting attack of a 

1 2 "Hello" HTML page returned from a server to a user computer. The displayed user 

1 3 computer and server can also be construed to include the inventive modules and 

1 4 computer-executable instructions described throughout the application (although they 

1 5 are not explicitly referenced in Figure 1). Nevertheless one of skill in the art would 

1 6 recognize their presence in view of the disclosure of the application. (Remarks, pg. 1 1 

17 - applicants' reason for the traversal of the objection to drawing 1 ) 
18 

1 9 In response, the examiner respectfully points out that figure 1 is Prior Art, as 

20 figure 1 illustrates only that which was known. 
21 

22 
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1 Conclusion 

2 

3 The prior art made of record and not relied upon is considered pertinent to 

4 applicant's disclosure: 

5 See Notice of References Cited 
6 

7 Applicant's amendment necessitated the new ground(s) of rejection presented in 

8 this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 

9 § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 

10 CFR 1.136(a). 

1 1 A shortened statutory period for reply to this final action is set to expire THREE 



12 MONTHS from the mailing date of this action. In the event a first reply is filed within 

1 3 TWO MONTHS of the mailing date of this final action and the advisory action is not 

14 mailed until after the end of the THREE-MONTH shortened statutory period, then the 

1 5 shortened statutory period will expire on the date the advisory action is mailed, and any 

1 6 extension fee pursuant to 37 CFR 1 . 1 36(a) will be calculated from the mailing date of 

17 the advisory action. In no event, however, will the statutory period for reply expire later 

1 8 than SIX MONTHS from the date of this final action. 

1 9 Any inquiry concerning this communication or earlier communications from the 

20 examiner should be directed to Jeffery Williams whose telephone number is (571 ) 272- 

21 7965. The examiner can normally be reached on 8:30-5:00. 
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1 If attempts to reach the examiner by telephone are unsuccessful, the examiner's 

2 supervisor, Emmanuel Moise can be reached on (571) 272-3865. The fax phone 

3 number for the organization where this application or proceeding is assigned is 571 - 

4 273-8300. 

5 Information regarding the status of an application may be obtained from the 

6 Patent Application Information Retrieval (PAIR) system. Status information for 

7 published applications may be obtained from either Private PAIR or Public PAIR. 

8 Status information for unpublished applications is available through Private PAIR only. 

9 For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 

10 you have questions on access to the Private PAIR system, contact the Electronic 

1 1 Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 

12 USPTO Customer Service Representative or access to the automated information 

13 system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
14 

15 

16 J.Williams 

17 AU:2137 



